(38 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
− | Description of my personal network
| |
| | | |
− | =Network diagram=
| + | {{#tag:graphviz| |
| | | |
− |
| |
− | <graphviz border='frame' format='png' caption='Graph for example no. 1'>
| |
| graph network { | | graph network { |
− | hoerup [label="192.168.12.0/24"]
| + | node [fontsize=12] |
− | amstrup [192.168.2.0/24]
| + | edge [fontsize = 12] |
− | HSH [192.168.8.0/24]
| |
− | hoerup_microtik [192.168.12.16]
| |
| | | |
− | hoerup -- amstrup | + | hoerup [label="hoerup \n192.168.12.0/24"] |
− | hoerup -- HSH | + | hoerup_clients [label="hoerup clients \n192.168.20.0/24"] |
− | amstrup -- HSH | + | amstrup [label="amstrup \n192.168.2.0/24"] |
− | hoerup -- hoerup_microtik | + | HSH [label="HSH \n192.168.8.0/24"] |
− | }
| + | hoerup_microtik [label="hoerup/microtik\nlan=192.168.13.16\nsstp=dynamic" shape=box] |
| + | hoerupit [label="hoerupit \n 192.168.23.0/24" ] |
| + | it_microtik [label="it/microtik \n sstp=192.168.195.1\nlan=?" shape=box] |
| + | it_mgmt [label="it/mgmt \n192.168.211.0/24"] |
| | | |
| | | |
| | | |
| | | |
| + | hoerup -- amstrup [label="openvpn"] |
| + | hoerup -- hoerup_clients [label="openvpn"] |
| + | hoerup -- HSH [label="openvpn"] |
| + | hoerup -- hoerupit [label="openvpn"] |
| | | |
− | </graphviz>
| + | amstrup -- HSH [label="openvpn"] |
| + | hoerup -- hoerup_microtik [label="lan/192.168.13 alias"] |
| + | hoerup_microtik -- it_microtik [label="sstp (masqeraded srcnat)"] |
| + | it_microtik -- it_mgmt [label="lan"] |
| | | |
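Review bot: the relabelling in this block fixes real syntax errors in the old graph, but two of the new labels need another pass. In the removed lines, "amstrup [192.168.2.0/24]", "HSH [192.168.8.0/24]" and "hoerup_microtik [192.168.12.16]" put a bare value where DOT expects an attribute list of key=value pairs (only the hoerup line used label=), so the old block would not have rendered; switching every node to label="..." is the right fix. In the added lines, the edge "hoerup_microtik -- it_microtik [label="sstp (masqeraded srcnat)"]" misspells "masqueraded", and the it_microtik node carries "lan=?" inside its label, which will be drawn literally in the PNG; fill in the LAN range or move the open question to a DOT comment so the diagram does not publish a placeholder. The hoerup/microtik address also changes from 192.168.12.16 to "lan=192.168.13.16", which is consistent with the new "lan/192.168.13 alias" edge label but is outside the 192.168.12.0/24 range the hoerup node advertises; if this is a correction of the old value rather than a renumbering, say so in the summary. Minor: "node [fontsize=12]" and "edge [fontsize = 12]" use different spacing.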
− | =IP Address=
| |
− | The network uses the RFC1918 private IP range 192.168.10.0/24
| |
− | All hosts get network information from the DHCP server, but some hosts get a fixed address based on MAC address.
| |
− | The dynamic range is 192.168.10.30-100.
| |
| | | |
− | =Host timon=
| |
− | Timon is the gateway and firewall for the network.
| |
| | | |
− | Timon runs the following services
| |
− | * Firewall
| |
− | **Homebuild iptables script with source / destination nat and forward filtering
| |
− | **DNAT
| |
− | ***http->rafiki
| |
− | ***smtp->rafiki
| |
− | ***openvpn->rafiki
| |
− | ***(mldonkey ports)->rafiki
| |
− | ***443->rafiki:22
| |
− | ***<strike>VNC->pumba</strike>
| |
− | **outgoing traffic is SNAT'ed
| |
− | *Traffic shaping
| |
− | *Static route: route add -net 192.168.20.0/24 gw 192.168.10.5
| |
− | *ISC DHCP Server
| |
− | **Serves IP addresses as described above
| |
− | *bind9 DNS server
| |
− | **Caching DNS server, uses <strike>ISP DNS</strike> OpenDNS for lookups
| |
− | **reverse lookup for 192.168.10.x and 192.168.20.x
| |
− | **local override for t-hoerup.dk (primarily to bind www.t-hoerup.dk etc. to the internal webserver address)
| |
− | *SSH server
| |
− | **For remote admininistration (only available from internal network)
| |
− | *TFTP
| |
− | **Used For PXE installations.
| |
− | *SNMP
| |
− | *cron
| |
− | **chkrootkit / rkhunter / ntpdate / logrotate / logwatch (logwatch recipient torben@t-hoerup.dk)
| |
− | *nullmailer
| |
− | **forwarding local-generated mail to rafiki
| |
− | **/etc/mailname:timon.t-hoerup.dk
| |
− | **/etc/nullmailer/remotes:rafiki.t-hoerup.dk
| |
| | | |
− | =Host Rafiki=
| |
− | Rafiki is the server
| |
| | | |
− | (VPN access is regarded as internal network access)
| |
| | | |
− | Unless specified otherwise the daemons listens on all network interfaces.
| |
| | | |
− | Rafiki runs
| |
− | *SSH server
| |
− | * Apache webserver
| |
− | ** With mod_php5, mod_dav_svn, mod_python, mod_proxy
| |
− | ** Hosts all vhosts listed in http://status.t-hoerup.dk/vhosts.php
| |
− | *** Hosts subversion repository
| |
− | ***Wiki
| |
− | ***Pastebin
| |
− | ***SQL webfrontends
| |
− | ***Is reverse proxy for those services that has their own http engine (such as mldonkey, and tomcat)
| |
− | *MySQL
| |
− | *PostgreSQL
| |
− | *Mldonkey for file download
| |
− | **bittorrent
| |
− | **donkey
| |
− | **overnet
| |
− | **basic HTTP
| |
− | *Squid http proxy
| |
− | **port 3128
| |
− | **Non caching
| |
− | **available to internal network only
| |
− | *Proftpd
| |
− | **File transfer - Only available to internal network (from outside scp/sftp should be used)
| |
− | *Postfix SMTP MTA
| |
− | *Dovecot IMAPd
| |
− | *OpenVPN
| |
− | ** TUN / UDP based
| |
− | **Listens on port 1494
| |
− | **Uses subnet 192.168.20.0/24 for tunnels
| |
− | **Full access to 192.168.10.0/24 available via vpn
| |
− | *Smokeping
| |
− | *App server: Sun Glassfish 2.1
| |
− | *smsdaemon
| |
− | *MRTG
| |
− | *webalizer
| |
− | *cron
| |
− | **chkrootkit / rkhunter / ntpdate / logrotate / logwatch (logwatch recipient torben@t-hoerup.dk)
| |
− | **torben's crontab
| |
− | ***05 */3 * * * /home/torben/bin/getmail-silent
| |
− | ***05 05 * * * cp /var/spool/mail/torben /home/torben/Mail/inbox-backup
| |
| | | |
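Review bot: the IP Address, Host timon and Host Rafiki sections are deleted outright and nothing in the replacement graph carries their content, yet several of the removed lines are the page's only record of access-control decisions: the DNAT rule "443->rafiki:22" (SSH reachable from outside on port 443), "SSH server ... only available from internal network" on timon, Squid and Proftpd "available to internal network only", OpenVPN "Listens on port 1494" with "Full access to 192.168.10.0/24 available via vpn", and "(VPN access is regarded as internal network access)". If these are still true they belong in per-host sections beside the diagram; if they are stale the edit summary should say so, because a reader of the new revision cannot tell which. The deleted text also describes the LAN as 192.168.10.0/24 and the VPN tunnel subnet as 192.168.20.0/24, while both graph revisions label hoerup as 192.168.12.0/24 and the new one labels 192.168.20.0/24 as "hoerup clients"; the static route "route add -net 192.168.20.0/24 gw 192.168.10.5" and the bind9 reverse zones for 192.168.10.x and 192.168.20.x disappear with no equivalent stated for whatever ranges are now in use. Dropping the logwatch recipient address and torben's personal crontab from a public page is reasonable, but the cron entries for chkrootkit/rkhunter on both hosts are worth keeping as the statement of what host monitoring exists.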
− | =Access Point= | + | }|format="png"}} |
− | *SSID: hoerup
| |
− | *Encryption: WPA2-PSK
| |
− | *Channel: 6
| |
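Review bot: "}|format="png"}}" closes the "{{#tag:graphviz|" opened at the top and replaces the old "<graphviz ...>" / "</graphviz>" pair, so the parser-function markup is balanced. Of the old attributes only format="png" survives; the caption 'Graph for example no. 1' was plainly a leftover from the extension's example and is fine to lose, but border='frame' goes with it without being mentioned. The Access Point section (SSID hoerup, WPA2-PSK, channel 6) is removed in the same step even though it has nothing to do with the diagram change, and the WPA2-PSK line is the only place the page records how the wireless network is protected; either keep that section or note in the summary that the access point is gone.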